CMake: Add a hardening-check target.

On Windows, add a hardening-check target which checks for DYNAMICBASE
and NXCOMPAT using the PowerShell script Get-HardenFlags.ps1.
For a Visual Studio solution, run the check by calling:

    msbuild /m /p:Configuration=RelWithDebInfo hardening-check.vcxproj

using the config as appropriate for your build.

Otherwise if we find the Debian/Fedora hardening-check script add a
target which runs it for each of our executables.

Change-Id: I62263e81d155c66e8c8edc751ffab535bf9f3b96
Reviewed-on: https://code.wireshark.org/review/10641
Reviewed-by: Gerald Combs <gerald@wireshark.org>

1 files changed, 84 insertions, 0 deletions

diff --git a/tools/Get-HardenFlags.ps1 b/tools/Get-HardenFlags.ps1
new file mode 100644
index 0000000000..3e2ea3f3b4
--- /dev/null
+++ b/tools/Get-HardenFlags.ps1
@@ -0,0 +1,84 @@
+#
+# Get-HardenFlags - Checks hardening flags on the binaries.
+#
+# Copyright 2015 Graham Bloice <graham.bloice@trihedral.com>
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+#requires -version 2
+
+# Get-HardenFlags does:
+#   call the dumpbin utility to get the binary header flags
+#   on all the binaries in the distribution, and then filters
+#   for the NXCOMPAT and DYNAMICBASE flags.
+
+<#
+.SYNOPSIS
+Checks the NXCOMPAT and DYNAMICBASE flags on all the binaries.
+
+.DESCRIPTION
+This script downloads and extracts third-party libraries required to compile
+Wireshark.
+
+.PARAMETER BinaryDir
+Specifies the directory where the binaries may be found.
+
+.INPUTS
+-BinaryDir Directory containing the binaries to be checked.
+
+.OUTPUTS
+Any binary that doesn't have the flags is written to the error stream
+
+.EXAMPLE
+C:\PS> .\tools\Get-HardenFlags.ps1 -BinaryDir run\RelWithDebInfo
+#>
+
+Param(
+    [Parameter(Mandatory=$true, Position=0)]
+    [String]
+    $BinaryDir
+)
+
+# CD into the bindir, allows Resolve-Path to work in relative mode.
+Push-Location $BinDir
+
+# Retrieve the list of binaries.  -Filter is quicker than -Include, but can only handle one item
+$Binaries = Get-ChildItem -Path $BinaryDir -Recurse -Include *.exe,*.dll
+
+# Number of "soft" binaries found
+$Count = 0;
+
+# Iterate over the list
+$Binaries | ForEach-Object {
+
+    # Get the flags
+    $flags = dumpbin $_ /HEADERS;
+
+    # Check for the required flags
+    $match = $flags | Select-String -Pattern "NX compatible", "Dynamic base"
+    if ($match.Count -ne 2) {
+
+        # Write-Error outputs error records, we simply want the filename
+        [Console]::Error.WriteLine((Resolve-Path $_ -Relative))
+
+        $Count++
+    }
+}
+
+exit $Count
\ No newline at end of file